CVE-2026-22732 · CRITICAL 9.1 · EPSS percentile 34.8%

CVE-2026-22732

Description

When an application configures HTTP response headers for a servlet application using Spring Security, those headers may not be written to the response. Because the failure is silent (the configuration is present but the header never reaches the client), the headers have to be verified on actual responses rather than inferred from configuration. This issue affects Spring Security servlet applications that use lazy (the default) writing of HTTP headers, in versions 5.7.0 through 5.7.21, 5.8.0 through 5.8.23, 6.3.0 through 6.3.14, 6.4.0 through 6.4.14, 6.5.0 through 6.5.8, and 7.0.0 through 7.0.3.
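Two checks a practitioner would want for this advisory, written as an added example rather than code from the advisory or from the Spring Security project: a version test against the affected ranges listed above, and a header check that parses a captured raw HTTP response (for instance the output of `curl -si`) and reports which expected headers are absent. The default header set used below is an assumption about what Spring Security's standard header writers normally emit; the sample responses are constructed for the example, and the function names (`is_affected`, `missing_headers`) are hypothetical.

```python
"""Added example for CVE-2026-22732: version-range check plus a response-header
audit. Not code from the advisory or from Spring Security itself."""
import re

# Affected ranges (inclusive) copied from the description of CVE-2026-22732.
AFFECTED_RANGES = [
    ((5, 7, 0), (5, 7, 21)),
    ((5, 8, 0), (5, 8, 23)),
    ((6, 3, 0), (6, 3, 14)),
    ((6, 4, 0), (6, 4, 14)),
    ((6, 5, 0), (6, 5, 8)),
    ((7, 0, 0), (7, 0, 3)),
]


def parse_version(version):
    """'6.4.14' -> (6, 4, 14). A trailing qualifier such as '-RC1' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not a major.minor.patch version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the Spring Security version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Assumption: headers Spring Security's default header writers emit on every
# servlet response. Application-specific headers (e.g. content-security-policy)
# should be passed in by the caller via `expected`.
DEFAULT_SECURITY_HEADERS = (
    "cache-control",
    "pragma",
    "expires",
    "x-content-type-options",
    "x-frame-options",
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {lowercased name: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def missing_headers(raw, expected=DEFAULT_SECURITY_HEADERS):
    """Names from `expected` that are absent from the captured response."""
    _status, headers = parse_response(raw)
    return sorted(h for h in expected if h.lower() not in headers)


# Constructed sample responses (not real captures).
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html></html>"
)

SAMPLE_MISSING = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)


if __name__ == "__main__":
    for v in ("6.4.14", "6.4.15", "7.0.3", "7.1.0-RC1"):
        print(f"{v}: {'affected' if is_affected(v) else 'not affected'}")
    for label, raw in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING)):
        print(f"{label}: missing {missing_headers(raw)}")
```

Run the header check against every route that matters, including error pages and redirects, since a header that is present on one response and absent on another is exactly the symptom this advisory describes.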

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.44% probability of exploitation · percentile 34.8% · scored 2026-06-18T12:00:27Z
Published: 2026-03-19
Last modified: 2026-04-16

Underlying weaknesses · 1

CWE-425

References

  1. https://spring.io/security/cve-2026-22732


Type      Target                                        Confidence  Tier
Weakness  Direct Request ('Forced Browsing') (cwe-425)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE · CVE-2026-41841
CVE · CVE-2026-41706
CVE · CVE-2026-41842
CVE · CVE-2026-41003
CVE · CVE-2026-22733
CVE · CVE-2026-41853
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.